Jump to content

Another Certificate Question...

Lost In Cyberia

Recommended Posts

Hey everyone, another question on certificate chains...

When a site applies for an ssl certificate, do they have to apply to a root CA? or can they apply to a root, or one of the many smaller CA companies? Then once they obtain a cert from that smaller CA, the company gets it's cert signed by a real root? Is evidence of this, when you look at the certificate viewer in a browser and it says something like

SomeSmallerCA inc.

The company, example.com applied for their cert at SomeSmallerCA, inc, which in turned got it's cert signed by Verisign?

Now if I see something like :


The above means that the company, example.com applied directed to the root CA, but they then signed their main cert with an intermediary cert?

So one is a bottom up application and the other is a top down application process? Can there be a mixture of both? Where you apply to a smaller company which goes up to a root, but the root signs an intermediary, before then finally signing to the smaller CA?


Link to comment
Share on other sites

It's possible to purchase a signing cert. That means that you can, using this cert, sign someone else's cert. When you sign someone else's cert, you include your own cert chain in the resulting cert.

So let's say you're a company called CertFirm. You purchase for some ungodly amount a signing cert from Verisign. You end up with a private key and a cert signed by Verisign so the cert chain you end up with is:

Verisign -> CertFirm.

Then someone approaches you and asks you to sign their cert for whatever.com. You decide to do so and return the signed cert which when displayed will say:

Verisign -> CertFirm -> whatever.com

There is no involvement from Verisign in this latter part of the process.

Understand that when you have a key-pair (private key and cert) you can do a grand total of 2 things:

1) Sign data using your private key which can be verified with your public key

2) Encrypt data using someone's public key which that someone can descrypt using the private key.

In both those scenarios the public and private key MUST be from the same key-pair otherwise it won't work.

So when you acquire the cert of someone it's to do one of those 2 things. In the case of an https connection, you as a client simply download the cert (if you don't have it already), dream up some unique session key, encrypt it using that cert and send it back to the server. Since ONLY the server has (well, should have) access to the private key only that server can decrypt the data, end up with the same unique session key and the two of you will now communicate by encrypting the data you want to send to eachother using the unique session key.

When you look at the certificate by clicking on the lock icon in your browser for the previously discussed whatever.com and you see that certificate chain, the way you should read it is:

CertFirm vouches for the fact that whatever.com is the real whatever.com.

Verisign vouches for the fact that CertFirm is the real "CertFirm".

Note that in that description above at no point it says that Verisign vouches for "whatever.com".

When you place a signing company's certificate in your trust store, what you're effectively saying is "I trust anybody vouched for by THIS signing company to really be who they say they are".

Given that chain again, when I add Verisign to my trust store, it would mean that I automatically trust CertFirm to be who they say they are, HOWEVER I do NOT trust whatever.com to be who they say they are because I haven't put CertFirm's certificate in my trust store.

To my understanding you cannot have a certificate signed by multiple companies. You can theoretically have multiple certificates for the same private key each signed by a different CA, but it would kind of defeat the point and you end up with the problem of which cert you're going to distribute to people since you have a number of them now. Also, the concept used here is that of the Trusted Third Party (=the CA) which you are trying to subvert into becoming the Trusted Fourth (Fifth, Sixth) Party... And each signing is costing you money so you might aswell spend it with the most trusted company you can find that's willing to do so.

The main difference between the various CA's is the level of verification they require before they will sign your cert. Like with that signing cert. Rest assured that if you want a signing cert signed by Verisign, you're going to have to show up at their doorstep, in person, with a passport and all sorts of paperwork that proves you are who you say you are.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...